Retail/payment security experts from HP Security Voltage and Lancope commented on the new 3.1 release of the Payment Card Industry Data Security Standard (PCI DSS).
SearchSecurity “PCI DSS 3.1 debuts, requires detailed new SSL security management plan”
Brendan Rizzo, technical director, HP Security Voltage (www.voltage.com):
“The fact that the PCI Council saw fit to release an out-of-band update underscores the real threat that the recent SSL and TLS vulnerabilities pose to payment security. Despite the real and immediate threat, many businesses have annual budgets and resource constraints to contend with which will preclude an immediate response. The fourteen month transition time should address this issue, however companies must begin planning now in order to make sure that they do not overrun this liberal transitionary period. If companies do not start to formalize a plan for appropriate security upgrades right away, any breach that they might incur could result in tough questions being asked and, ultimately, in significant reputational damage – even if it occurs before the PCI Council’s implementation deadline.”
Mark Bower, global director, product management, HP Security Voltage (www.voltage.com):
“It’s critical to understand that SSL and TLS are old technologies that pre-date the advanced threats we see today. They only protect data in transit for limited paths. TLS is often terminated at a load balancing tier, for example, before the data then enters cloud or web applications. Given the increasing risk of ‘card not present’ data theft, merchants should also evaluate the newer technologies that are available to provide end-to-end data protection of sensitive data beyond where SSL and TLS stops. These approaches can dramatically reduce risk of theft and consequential fraud losses, and also avoid the complexities of having to keep updating older methods that have diminishing value in keeping pace with today’s sophisticated attacks, malware and insider threats.”
Andrew Wild, chief information security officer, Lancope (www.lancope.com):
“The PCI SSC update 3.1 acknowledges the severity of the risk to the confidentiality of payment card transactions using encryption protocols that have known vulnerabilities. The SSC’s out-of-cycle update to the DSS is recognition of the importance of moving towards more secure protocols and away from protocols with known vulnerabilities.
The SSC has a challenging role in trying to balance the risk of vulnerable protocols against the logistical challenges faced by merchants and other organizations involved in the transmission of payment card data. Unfortunately, coordinating the widespread upgrade or replacement of payment card hardware/software isn’t trivial, given how geographically distributed the payment systems are.”